Communication information recording device

ABSTRACT

The object of the present invention is to obtain records of communication through a network. By monitoring the packet data passing through the objective network, adding detection data corresponding to its type, and storing the result in an analysis result database, the data can be simply and reliably read out after the communication has been completed.

TECHNICAL FIELD OF THE INVENTION

The present invention relates to a communication information recording device, and is suitably applied to the case of confirming, after the completion of communications, the communication information flowing in a network to be monitored.

TECHNICAL BACKGROUND OF THE INVENTION

In a network constructed to transmit or receive information by using a LAN (Local Area Network) among a plural number of terminal devices connected to the LAN, there may be cases where the existence or non-existence of a communication should be confirmed after the communication has been conducted.

For example, there may be cases where one wants to confirm whether a network crime has been committed from inside the LAN or from an external network connected to the LAN (e.g., the Internet), or wants to obtain evidence that a communication has been conducted (e.g., evidence of an electronic commercial transaction).

As a method of solving such problems, a method of providing software using a GUI (Graphical User Interface) for information recording in each terminal device has been adopted. However, this makes it complicated to confirm the recorded information after the communication has been conducted.

DISCLOSURE OF THE INVENTION

The present invention has been made in consideration of the above points and proposes a communication information recording device capable of more easily confirming communication information after it has been recorded or transmitted.

To obviate such problems, according to the present invention, the data of a data stream D0 flowing in an objective network 2 is received, the received data is divided into session data D1 for one communication, and the communication item data contained in the divided session data D1 is selected: the communication type (HTTP communication, SMTP communication, POP3 communication), the SMTP commands MAIL FROM and RCPT TO, the POP3 commands USER and APOP, the mail header items From, Subject, To and Cc, the HTTP request methods GET, POST, HEAD, DELETE, OPTIONS, PUT, LINK, UNLINK, TRACE and CONNECT, and the HTTP header items Content-Length and Host. From these the analysis result data is formed. By adding the detection data Category=1, 2 . . . to this analysis result data and storing it in the analysis result database 11, the analysis result data can be selectively read out from the analysis result database 11 based on the detection data Category=1, 2 . . . , and thus the communication result of the objective network 2 can be confirmed.

By adding the detection data to the communication item data and storing these in the analysis result database 11, the data of a data stream flowing in the objective network 2 can be easily confirmed after the communication has been transmitted by using the detection data. Thereby, a communication information recording device capable of easily finding whether a crime has been committed on the objective network 2 or not, and capable of more easily securing evidence that a communication has been conducted, can be realized.

According to the present invention as described above, since the communication data passing through the objective network is received, the received communication data is classified according to its data category, and new detection data is added before storage in the analysis result database, the progress of communications using the objective network can be easily and reliably confirmed based on the analysis result data stored in this analysis result database. Thus, a communication information recording device capable of easily and surely giving evidence of a network crime and evidence of an electronic commerce transaction can be realized.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram showing the general construction of a communication information recording device according to the present invention.

FIG. 2 is a flow chart showing the communication information recording processing procedure of the communication information recording device 6 of FIG. 1.

FIG. 3 is a schematic diagram showing the construction of electronic mail information flowing in the objective network 2 of FIG. 1.

FIG. 4 is a flow chart showing the detailed construction of the mail data analysis step SP5 of FIG. 2.

FIG. 5 is a flow chart showing the detailed construction of the mail data analysis step SP5 of FIG. 2, continuing FIG. 4.

FIG. 6 is a schematic diagram showing the construction of the electronic mail data DATA11 (request to server) processed in FIG. 4 and FIG. 5.

FIG. 7 is a schematic diagram showing the construction of the response data DATA12 (response from server) processed in FIG. 4 and FIG. 5.

FIG. 8 is a flow chart showing the categorization processing procedure.

FIG. 9 is a flow chart showing the categorization processing procedure, continuing FIG. 8.

FIG. 10 is a schematic diagram showing the construction of the mail category database used in the categorization processing procedure of FIGS. 8 and 9.

FIG. 11 is a flow chart showing the detailed construction of the POP3 data analysis step SP7 of FIG. 2.

FIG. 12 is a flow chart showing the detailed construction of the POP3 data analysis step SP7 of FIG. 2, continuing FIG. 11.

FIG. 13 is a schematic diagram showing the construction of the POP3 request data DATA21 (request to server).

FIG. 14 is a schematic diagram showing the construction of the POP3 electronic mail data DATA22 (response from server).

FIG. 15 is a flow chart showing the detailed construction of the HTTP data analysis step SP8 of FIG. 2.

FIG. 16 is a flow chart showing the detailed construction of the HTTP data analysis step SP8 of FIG. 2, continuing FIG. 15.

FIG. 17 is a schematic diagram showing the construction of the Web database of FIG. 15 and FIG. 16.

FIG. 18 is a schematic diagram showing the POST request data DATA31 (request to server).

FIG. 19 is a schematic diagram showing the POST response data DATA32 (response from server).

FIG. 20 is a schematic diagram showing the request data DATA41 and the response data DATA42 of a GET request.

FIG. 21 is a flow chart showing the readout processing procedure of the analysis data.

FIG. 22 is a flow chart showing the intrusion detection analysis processing procedure of FIG. 2.

BEST MODE FOR CARRYING OUT THE INVENTION

The present invention will be described in detail with reference to the accompanying drawings.

(1) General Construction

In FIG. 1, 1 generally shows a communication network in which an objective network 2 comprising a LAN is connected to the Internet 5.

The objective network 2 is connected to a plural number of terminal devices 3A, 3B . . . , and these terminal devices 3A, 3B . . . exchange electronic mail information with the mail server 4A, provided in the management headquarters 4 together with the Web browser 4B, and with the mail servers 15A, 15B . . . ; at the same time, the mail server 4A exchanges electronic mail information with the external mail servers 15A, 15B . . . through the Internet 5 connected to the objective network 2.

The terminal devices 3A, 3B . . . exchange Web pages with the HTTP servers 14A, 14B . . . through the objective network 2 by using the HTTP protocol.

With this arrangement, the electronic mail information and Web page information flowing in the objective network 2 are monitored by the communication information recording device 6 connected to the objective network 2.

Since the central processing unit (CPU) 9, connected to the program memory 8 through a bus 7, executes the communication information recording program using a work memory 10, the communication information recording device 6 executes analysis processing on the electronic mail information and Web page information flowing in the objective network 2 according to the communication information recording processing procedure RT0 shown in FIG. 2, and stores the analysis result data showing the contents of the communication information in the analysis result database 11 via the bus 7.

(2) Communication Information Recording Processing Procedure

When the CPU 9 of the communication information recording device 6 enters the communication information recording processing procedure RT0 of FIG. 2, it successively captures, at step SP1, the packet data containing electronic mail information and Web page information flowing in the objective network 2, and stores it in the work memory 10.

As shown in FIG. 3, since the packet data P1 flows in continuously from the communication start point T0 to the communication stop point T1 during a single communication, the data stream D0 carries the session data D1 representing that one communication.

The CPU 9 of the communication information recording device 6 divides this data stream D0 per a predetermined monitor time, adds monitor file names, and stores the pieces in the work memory 10.

While the packet data P1 flowing in the objective network 2 is captured into the work memory 10 per the predetermined monitor time, the CPU 9 conducts the analysis time waiting processing at step SP2, and when the analysis time point arrives, at step SP3 it cuts the packet data captured in the work memory 10 into individual sessions and adds an analysis file name to each.

Then, according to the type of the captured electronic mail information to which analysis file names have been added, the CPU 9 executes the analysis subroutine for SMTP mail data at step SP5, or the analysis subroutine for POP3 mail data at step SP7.

At step SP8, the CPU 9 executes the HTTP analysis subroutine, and at step SP9 it executes the intrusion detection analysis subroutine.

Thus the CPU 9 completes the analysis of the electronic mail information and Web pages to which monitor file names were attached at step SP1, returns to step SP1, and repeats the analysis processing for the following monitor time.

As a result, when the terminal devices 3A, 3B . . . transmit or receive electronic mail via the mail server 4A, when they read electronic mail information from the mail server 4A and the mail servers 15A, 15B . . . , or when they receive Web pages from the HTTP servers 14A, 14B . . . on the Internet 5 via the objective network 2, the communication information recording device 6 receives the electronic mail information and Web page information flowing in the objective network 2 and stores the analysis result in the analysis result database 11.

(3) Mail Data Analysis Processing Procedure

The communication information recording device 6 executes the mail data analysis processing procedure shown in FIGS. 4 and 5 as the mail data analysis processing routine SP5 of FIG. 2.

This mail data analysis processing routine SP5 is executed in the case where the electronic mail information flowing in the objective network 2 is electronic mail transferred by the Simple Mail Transfer Protocol (SMTP). Such an SMTP mail consists of the electronic mail data DATA11 of FIG. 6, sent as request data to the mail server 4A.

When the mail server 4A receives this SMTP mail, it transmits the data of FIG. 7 as the response data DATA12.

In the SMTP electronic mail data DATA11 of FIG. 6, the first four lines from the top are the SMTP commands S11, and the mail main body S12 runs from the following line to the line consisting of a single “.”.

The mail main body S12 comprises a mail header unit S13, a main text unit S14 and an attachment file unit S15.

When the CPU 9 enters the mail data analysis processing routine SP5 of FIG. 4, after dividing the mail according to the SMTP protocol at step SP21, it successively obtains the “RCPT TO” line and the “MAIL FROM” line of the SMTP commands S11 (FIG. 6) at steps SP22 and SP23, and thereby obtains the data showing from which sender to which addressee the electronic mail was sent.

Then, at step SP24, the CPU 9 cuts out the range from the mail header S13 to the end of the main text S14 as one file, writes it temporarily into a file in the work memory 10, and by putting the mail header into an associative array at step SP25 makes each item of the mail header individually referable.

Next, at step SP26, the CPU 9 judges whether any attachment file exists. When an affirmative result is obtained, it moves to step SP27, executes the virus detection module, and at step SP28 judges whether a virus has been detected.

If an affirmative result is obtained at this virus detection step SP28, the CPU 9 sets the electronic mail to Category=2 at step SP29 and moves to step SP30.

Here, the reason for categorizing the received electronic mails is that, by classifying them into categories according to their contents and storing them in the analysis result database 11, the data can be read out according to the categorization result when the contents of the analysis result database 11 are consulted after the communication, which makes the data of the analysis result database 11 easy to read out.

Thus, the CPU 9 extracts any virus present in an electronic mail having an attachment file, and classifies such an electronic mail into Category=2.

On the other hand, if the CPU 9 judges at step SP26 that there is no attachment file, or if no virus is detected at step SP28, the CPU 9 skips step SP29 and moves to step SP30.

The processing of step SP30 decodes the “Subject” (title) in the mail header S13 of the SMTP electronic mail DATA11 (FIG. 6), i.e., converts it from its 7-bit form to a generally readable 8-bit form (MIME decoding). Then, at step SP31, the CPU 9 decodes the “Filename” (attached file name), at the following step SP32 it decodes the “From” item of the mail header unit S13, at step SP33 it decodes the “To” item, and at step SP34 it decodes the “Cc” item of the mail header unit S13.

By the processing described above, the CPU 9 finds from whom the SMTP mail comes and to whom it goes, to whom a Cc copy is to be sent, the title and the attachment file name, and whether or not a virus is present.

Under these conditions, the CPU 9 judges at step SP35 whether the category of the electronic mail is “Category=2”. When an affirmative result is obtained, it moves to step SP36 (FIG. 5) and executes the processing (for an SMTP mail in which a virus was detected) of entering the mail main text S14, the response data DATA12, the SMTP commands S11, and the “To”, “Cc”, “From” and “Subject” items of the mail header S13 into the analysis result database 11 as the communication item data showing the contents of the communication.

On the other hand, if a negative result is obtained at step SP35 (FIG. 4), the SMTP mail has no virus, and the CPU 9 moves to step SP37 and judges whether the SMTP command “MAIL FROM” item, the SMTP command “RCPT TO” item, the POP3 command “USER” item, the POP3 command “APOP” item, the mail header “From” item, the mail header “To” item or the mail header “Cc” item agrees with the private database 12.

Here the private database 12 means that nobody other than the persons registered in the private database 12 is allowed to read the contents of the SMTP electronic mail.

If an affirmative result is obtained at step SP37, other persons are not allowed to read the contents of this SMTP electronic mail. At this moment, at step SP38, the CPU 9 changes the “Subject” item of the mail header to private, at step SP39 it changes the “To” item of the mail header to private, and at step SP40 it sets “Category=1” and moves to the following step SP41.

Thus, when the CPU 9 confirms that the SMTP mail is not to be seen by other persons, it sets both the mail header “Subject” item and the mail header “To” item to private, and by regarding the mail as “Category=1”, the contents of the SMTP mail are kept from being seen even after the electronic mail has been transmitted.

On the other hand, if a negative result is obtained at step SP37, the SMTP mail is not prohibited from being seen, and the CPU 9 skips steps SP38 through SP40 and moves to step SP41.

Step SP41 compares the contents of the mail header with the values of “mail-category” set in advance in the mail category database 13 (FIG. 1) and categorizes the mail.

As shown in FIG. 10, the mail category database 13 sets, as reference data, groups of categories and words belonging to mail-category1, 2, 3, 4 and 5 on the mail header “From” item, “To” item, “ALL” item, “Reply-To” item and “Subject” item.

Furthermore, on the “main text” item, the mail category database 13 sets a group of a category and the words word (EUC), word2 (JIS) and word3 (Shift-JIS) as the reference data for rating mail-category5.

Furthermore, on the POP3 item, the mail category database 13 has a group of a category and the words word (POP) and word2 (APOP) as the reference data for judging category6.

At this moment the CPU 9 judges, at step SP43 continued from step SP41, whether the mail header of the SMTP mail agrees with the mail category database 13. When an affirmative result is obtained, the CPU 9 moves to step SP44, substitutes the category value of the matching condition, and moves to step SP36.

Here, the SMTP mail is the electronic mail transferred from a terminal device to the mail server 4A by the Simple Mail Transfer Protocol (SMTP), the reference data of the header set in the mail category database 13 are the “From” item and the “To” item, and the CPU 9 judges whether these two items agree at step SP75.

On the other hand, when a negative result is obtained at step SP43, the CPU 9 compares the main text of the mail with the words registered in mail-category5 of the mail category database 13 at step SP45. When the CPU 9 judges at step SP46 that they agree, it substitutes the category value of the match at step SP47 and moves to step SP36.

If a negative result is obtained at step SP46, the CPU 9 moves directly to step SP36 described above.

By executing the SMTP mail data analysis processing procedure SP5 of FIGS. 4 and 5, the CPU 9 judges whether the monitored electronic mail is allowed to be seen or not, judges to what category the electronic mail belongs, and stores the result in the analysis result database 11.
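The SMTP branch of steps SP21 through SP40 above, written out as an added Python example (it is not code from the patent, and the patent does not specify an implementation). The SMTP session, the private database entry and the attachment are all constructed here for illustration; the attachment is the EICAR anti-virus test string, and the virus detection module is a stand-in that recognises only that string.

```python
import base64
import email
import email.utils
import re
from email.header import decode_header, make_header

# Constructed sample data (not captured traffic). The attachment carries the
# EICAR anti-virus test string, which is inert but is what a scanner would flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
PRIVATE_DATABASE = {"ceo@example.com"}   # stands in for the private database 12

SMTP_REQUEST = b"\r\n".join([
    b"HELO client.example",                       # SMTP commands S11
    b"MAIL FROM:<alice@example.com>",
    b"RCPT TO:<bob@example.org>",
    b"DATA",
    b"From: =?UTF-8?Q?Alice_Smith?= <alice@example.com>",   # mail header S13
    b"To: bob@example.org",
    b"Cc: carol@example.org",
    b"Subject: =?ISO-8859-1?Q?R=E9sum=E9?=",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XX"',
    b"",
    b"--XX",
    b"Content-Type: text/plain",
    b"",
    b"Please see attached.",                      # main text S14
    b"--XX",
    b'Content-Type: application/octet-stream; name="report.exe"',
    b'Content-Disposition: attachment; filename="report.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(EICAR),                      # attachment file S15
    b"--XX--",
    b".",                                         # end of the mail main body S12
    b"QUIT",
])
CLEAN_REQUEST = b"\r\n".join([
    b"HELO client.example", b"MAIL FROM:<alice@example.com>", b"RCPT TO:<ceo@example.com>",
    b"DATA", b"From: alice@example.com", b"To: ceo@example.com", b"Subject: board minutes",
    b"", b"Draft attached next week.", b".", b"QUIT",
])


def split_smtp_session(request):
    """Step SP21: separate the SMTP command lines from the mail main body, which runs
    from the line after DATA to the line holding a single '.'. Lines the client
    dot-stuffed (leading '..') are unstuffed as RFC 5321 requires."""
    lines = request.split(b"\r\n")
    data_at = next(i for i, line in enumerate(lines) if line.upper() == b"DATA")
    body = []
    for line in lines[data_at + 1:]:
        if line == b".":
            break
        body.append(line[1:] if line.startswith(b".") else line)
    return lines[:data_at + 1], b"\r\n".join(body)


def envelope(commands):
    """Steps SP22/SP23: the MAIL FROM sender and the RCPT TO recipients."""
    env = {"MAIL FROM": None, "RCPT TO": []}
    for line in commands:
        m = re.match(rb"(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", line, re.I)
        if m and m.group(1).upper() == b"MAIL FROM":
            env["MAIL FROM"] = m.group(2).decode()
        elif m:
            env["RCPT TO"].append(m.group(2).decode())
    return env


def mime_decode(value):
    """Steps SP30-SP34: decode RFC 2047 encoded words (the 7-bit form) to text."""
    return None if value is None else str(make_header(decode_header(value)))


def attachments(msg):
    """Step SP26: leaf parts that carry a filename or an attachment disposition."""
    return [p for p in msg.walk() if not p.is_multipart()
            and (p.get_filename() or (p.get("Content-Disposition") or "").lower().startswith("attachment"))]


def virus_detected(part):
    """Step SP27: stand-in for the virus detection module; only the EICAR string is known here."""
    return EICAR in (part.get_payload(decode=True) or b"")


def analyze_smtp_mail(request, response=b"250 2.0.0 Ok: queued", private=PRIVATE_DATABASE):
    """Steps SP21-SP40: one analysis result record for one SMTP session."""
    commands, body = split_smtp_session(request)
    env = envelope(commands)
    msg = email.message_from_bytes(body)          # SP24/SP25: header as an associative array
    parts = attachments(msg)
    record = {
        "MAIL FROM": env["MAIL FROM"], "RCPT TO": env["RCPT TO"],
        "Subject": mime_decode(msg.get("Subject")),
        "Filename": [mime_decode(p.get_filename()) for p in parts],
        "From": mime_decode(msg.get("From")), "To": mime_decode(msg.get("To")),
        "Cc": mime_decode(msg.get("Cc")),
        "main text": body, "response": response, "SMTP command": commands,
        "category": 2 if any(virus_detected(p) for p in parts) else None,   # SP28/SP29
    }
    if record["category"] != 2:                                              # SP35
        people = [env["MAIL FROM"], *env["RCPT TO"], record["From"], record["To"], record["Cc"]]
        if any(email.utils.parseaddr(p)[1] in private for p in people if p):  # SP37
            record["Subject"] = record["To"] = "private"                     # SP38/SP39
            record["category"] = 1                                           # SP40
    return record
```

Two points the step list glosses over are visible here: the private check is skipped entirely for a Category=2 mail, so a virus-carrying mail to a registered private person is stored with its subject and recipients in the clear; and the masking only touches the Subject and To items, while the MAIL FROM and RCPT TO envelope addresses and the main text still go into the record unchanged.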

(4) POP3 Data Analysis Processing Procedure

In the POP3 data analysis subroutine SP7 (FIG. 2), in the case where the terminal devices 3A, 3B . . . read the mail pooled in the mail server 4A and the mail servers 15A, 15B . . . , the CPU 9 of the communication information recording device 6 monitors the electronic mail information flowing in the objective network 2 under the POP3 protocol (Post Office Protocol Version 3) according to the POP3 data analysis processing procedure SP7.

When the CPU 9 enters the POP3 data analysis processing procedure SP7, it divides the mail based on the POP3 protocol at step SP75.

The request data DATA21 (shown in FIG. 13) of the electronic mail information based on the POP3 protocol is transmitted to the mail server 4A from the terminal devices 3A, 3B . . . via the objective network 2. In response to this request, the electronic mail data DATA22 shown in FIG. 14 is sent from the mail server 4A and the mail servers 15A, 15B to the terminal devices 3A, 3B that sent the request.

The electronic mail data DATA22 is formed of a POP3 response S21 and a mail main body S22, and the mail main body S22 comprises a mail header S23 and a mail main text S24.

Thus the CPU 9, after dividing the mail using the POP3 response S21 at step SP75, obtains at steps SP76 and SP77 the “USER” item (in which the user name is given) or the “APOP” item (in which the user name and an MD5 digest computed from the server's greeting timestamp and the password are given; the password itself is not sent on the wire) of the POP3 command in the request data DATA21, and at step SP78 it extracts the range from the mail header S23 to the end of the mail main text S24 of the electronic mail data DATA22 as one file and stores it temporarily in the work memory 10.

Then, at step SP79, after entering the mail header into an associative array so that each item can be taken out as occasion demands, the CPU 9 judges at step SP80 whether any attachment file exists. If an affirmative result is obtained, it executes the virus detection module at step SP81. Then, if the judgment that a virus has been detected is obtained at step SP82, the CPU 9 sets the electronic mail to Category=2 at step SP83 and moves to the following step SP84.

On the other hand, if it is judged at step SP80 that there is no attachment file, or no virus is detected at step SP82, the CPU 9 moves to step SP84 immediately.

At step SP84, the CPU 9 decodes the “Subject” item of the mail header S23 from 7 bits to generally readable 8 bits (MIME decoding).

Similarly, at the following steps SP85, SP86, SP87 and SP88, the CPU 9 successively MIME-decodes the “attachment file name” item and the “From”, “To” and “Cc” items of the mail header.

Then, at step SP89, the CPU 9 judges whether the category of the electronic mail is Category=2. When an affirmative result is obtained, it moves to step SP90 (FIG. 12) and enters the “mail main text”, the “response data”, the “SMTP command”, and the mail header “To”, “Cc”, “From” and “Subject” items into the analysis result database 11.

On the other hand, if a negative result is obtained at step SP89 (FIG. 11), the CPU 9 judges at step SP91 whether any one of the SMTP command “MAIL FROM” or “RCPT TO” items, the POP3 command “USER” or “APOP” items, or the mail header “From”, “To” or “Cc” items agrees with the private data stored in the private database 12.

If an affirmative result is obtained at step SP91, third persons are not allowed to read the electronic mail. At this moment, the CPU 9 changes the mail header “Subject” item to private data at step SP92, changes the “From” item to private data at step SP93, sets the category of the electronic mail to Category=1 at step SP94, and moving to step SP90 registers this in the analysis result database 11.

On the other hand, if a negative result is obtained at step SP91, the foregoing processing could not categorize the mail, and the CPU 9 executes the categorization processing subroutine SP42 at step SP95.
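The POP3 division of steps SP75 through SP78, as an added Python example rather than the patent's own code. It walks the client commands and server replies of one constructed session in lockstep, takes the user name from USER or APOP, and collects each RETR reply (the mail main body S22) as one file after undoing the server's byte-stuffing. The session data, mailbox name and password are constructed; the `apop_verify` helper is added to show why the APOP item does not give the monitor the password directly.

```python
import hashlib
import re

# Constructed POP3 exchange (not captured traffic). The server greeting carries
# the APOP timestamp; the client's digest is MD5(timestamp + password) per RFC 1939.
GREETING = b"+OK POP3 server ready <1896.697170952@mail.example.org>"
TIMESTAMP = re.search(rb"<[^>]+>", GREETING).group(0)
DIGEST = hashlib.md5(TIMESTAMP + b"secret").hexdigest().encode()

POP3_REQUEST = b"\r\n".join([
    b"APOP alice " + DIGEST,     # user name and digest; the password itself is never sent
    b"STAT",
    b"RETR 1",
    b"QUIT",
])
POP3_RESPONSE = b"\r\n".join([
    GREETING,
    b"+OK maildrop locked and ready",   # POP3 response S21 to APOP
    b"+OK 1 120",                       # to STAT
    b"+OK 120 octets",                  # to RETR: the mail main body S22 follows
    b"From: bob@example.org",           # mail header S23
    b"To: alice@example.org",
    b"Subject: byte stuffing",
    b"",
    b"..this line began with a dot",    # mail main text S24, dot-stuffed by the server
    b"bye",
    b".",                               # end of the multi-line response
    b"+OK bye",                         # to QUIT
])


def parse_pop3_session(request, response):
    """Steps SP75-SP78: walk client commands and server replies in lockstep. USER or
    APOP give the mailbox name; every successful RETR/TOP reply is collected as
    one mail file with the server's byte-stuffing undone."""
    cmds, resp = request.split(b"\r\n"), response.split(b"\r\n")
    session = {"user": None, "apop_digest": None, "timestamp": None, "messages": []}
    m = re.search(rb"<[^>]+>", resp[0])            # greeting is the first server line
    session["timestamp"] = m.group(0) if m else None
    r = 1                                           # index of the next unread server line
    for line in cmds:
        if not line:
            continue
        verb, *args = line.split(b" ")
        status, r = resp[r], r + 1                  # one status line per command
        if verb.upper() == b"USER" and args:
            session["user"] = args[0].decode()
        elif verb.upper() == b"APOP" and len(args) == 2:
            session["user"], session["apop_digest"] = args[0].decode(), args[1].decode()
        elif verb.upper() in (b"RETR", b"TOP") and status.startswith(b"+OK"):
            body = []
            while resp[r] != b".":
                body.append(resp[r][1:] if resp[r].startswith(b".") else resp[r])
                r += 1
            r += 1                                  # skip the terminating '.'
            session["messages"].append(b"\r\n".join(body))
    return session


def apop_verify(timestamp, digest, password_guess):
    """A passive observer holds the timestamp and the digest, so it cannot read the
    APOP password directly but can test password guesses against the digest offline."""
    return hashlib.md5(timestamp + password_guess).hexdigest() == digest
```

The recorded APOP item is therefore a user name plus a digest, not a password; a plaintext USER/PASS login, by contrast, puts the password itself into the analysis result database, which is one reason to treat that database with the same care as the private database 12.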

When the CPU 9 enters the categorization processing subroutine SP42, as shown in FIGS. 8 and 9, it compares the “From” item in the mail header with the words of “mail-category1” of the mail category database 13 at step SP51, and judges at step SP52 whether any matching data exists. When an affirmative result is obtained, the CPU 9 moves to step SP53 and determines the category corresponding to the matching word as category1.

If a negative result is obtained at step SP52, the CPU 9 compares the “To” item in the mail header with the words of “mail-category2” at step SP54. If matching data exists at step SP55, the CPU 9 judges the category of the matching word as category2 at step SP56.

If a negative result is obtained at step SP55, the CPU 9 compares the “From”, “To” and “Cc” items in the mail header and the “MAIL FROM” and “RCPT TO” items in the SMTP commands with the words of mail-category3 of the mail category database 13. If matching data exists at step SP58, the CPU 9 judges the category corresponding to the matching word as category3 at step SP59.

If a negative result is obtained at step SP58, the CPU 9 compares the “Reply-To” item in the mail header with the words of mail-category4 of the mail category database 13 at step SP60. When agreement is found at step SP61, the CPU 9 judges the category corresponding to the matching word as category4 at step SP62.

If a negative result is obtained at step SP61, the CPU 9 compares the mail main text of the SMTP mail with the word, word2 and word3 of category5 of the mail category database 13 at step SP63. When it judges at step SP64 (FIG. 9) that there is agreement, it judges the category corresponding to the matching word as category5 at step SP65.

If a negative result is obtained at step SP64, the CPU 9 compares the head line of the request file of the SMTP mail with the word and word2 of mail-category6 of the mail category database 13 at step SP66; if agreement is found at step SP67, it judges the category of the matching word as category6 at step SP68.

With this arrangement, when one of the judgment results of steps SP53, SP56, SP59, SP62, SP65 and SP68 is obtained, or when a negative result is obtained at step SP67, the CPU 9 terminates the categorization processing at step SP69 and returns to the main routine (FIG. 12) from step SP70.

By the categorization processing of step SP95, the mail information flowing in the objective network 2 is classified at the same time into a form of categorization that can be easily managed by the manager of the management headquarters 4 who controls the objective network.

Regarding the mail category database 13 of FIG. 10, category numbers are attached to one or a plural number of high-priority words in each of the items mail-category1 through mail-category6. Thus, when the analysis result data stored in the analysis result database 11 is read out from the Web browser 4B of the management headquarters 4, mail information of high priority can be read out selectively.

The first categorization data CAT1 of the mail category database 13 is set as mail-category1 by attaching category values to one or multiple “names of mail transmitting ends” on the “From” item of the mail header unit.

The second categorization data CAT2 is set as mail-category2 by attaching category values to one or a plural number of “names of receiving ends” on the “To” item of the mail header unit.

Furthermore, the third categorization data CAT3 is set as mail-category3 by attaching category values to one or multiple items, treating all of the SMTP command “MAIL FROM” and “RCPT TO” items and the mail header “From”, “To” and “Cc” items as one group of judgment information.

Moreover, the fourth categorization data CAT4 is set as mail-category4 by attaching category values to one or multiple “Reply-To” (reply destination) items.

Moreover, the fifth categorization data CAT5 is set as mail-category5 by attaching category values to one or multiple “Subject” (title) items of the mail header.

Moreover, the sixth categorization data CAT6 is set as mail-category6 by attaching category values to one or multiple “mail main text” items (i.e., registered character strings), one per kanji code EUC, JIS and Shift-JIS.

Moreover, the seventh categorization data CAT7 is set as mail-category7 on one or more items of the POP3 item (user name on the mail server): word (POP) with the user name, or word2 (APOP) with the user name and password.

Thus, the CPU 9, having categorized the monitored electronic mail information from various aspects using the category classification data CAT1 through CAT7 of the mail category database 13, stores the result in the analysis result database 11 and returns from step SP96 to the main routine, the communication information recording processing procedure RT0 (FIG. 2). Thus, the electronic mail data in the analysis result database 11 can be easily confirmed from the Web browser 4B of the management headquarters 4 as occasion demands.

(5) HTTP Data Analysis Processing Procedure

The CPU 9 of the communication information recording device 6 executes the “HTTP data analysis processing procedure” shown in FIGS. 15 and 16 at the HTTP data analysis step SP8 (FIG. 2).

When the CPU 9 enters the “HTTP data analysis processing procedure” SP8, it sets, at step SP100, the condition for securing the session data from the name database.

In this embodiment, when the terminal devices 3A, 3B . . . read Web page information from the HTTP servers 14A, 14B . . . on any of the three port numbers 80, 3128 and 8080, the CPU 9 stores the Web page information in the analysis result database 11.

A request from the terminal devices 3A, 3B . . . starts with one of the “GET”, “POST”, “HEAD”, “DELETE”, “OPTIONS”, “PUT”, “LINK”, “UNLINK”, “TRACE” and “CONNECT” methods.

For example, when an HTTP POST request is sent out from the terminal devices 3A, 3B . . . , they send the HTTP POST request data DATA31 to the HTTP servers 14A, 14B . . . via the objective network 2, and in response the HTTP servers 14A, 14B . . . transmit the HTTP POST response data DATA32 to the terminal devices 3A, 3B . . . via the objective network, as shown in FIG. 19.

The HTTP POST request data DATA31 comprises a header unit S31 and a write-in unit S32 as shown in FIG. 18. The header unit S31 sends the Web page read-in information to the HTTP servers 14A, 14B . . . , and the write-in unit S32 adds the condition that its contents be applied to the Web page to be read and sent out.

When the HTTP servers 14A, 14B . . . receive the HTTP POST request data DATA31, they return, as shown in FIG. 19, the header part S33 and the main text part S34 formed of the processed Web page information to the terminal devices 3A, 3B . . . that sent the request, as the HTTP POST response data DATA32.

Moreover, as shown in FIG. 20(A), the terminal devices 3A, 3B . . . send out the request line and HTTP header of the HTTP GET request data DATA41 (there is no write-in unit S32 as in FIG. 18) to the HTTP servers 14A, 14B . . . as the HTTP GET request data DATA41.

At this point, as shown in FIG. 20(B), the HTTP servers 14A, 14B . . . transmit the header unit S42 and the main text unit S43 (in this case, a still picture) to the terminal devices 3A, 3B . . . that sent the request as the HTTP GET response data DATA42.

When the CPU 9 enters the HTTP data analysis subroutine, it reads out the request data DATA41 from the work memory 10 at step SP101, continued from step SP100 (FIG. 15). At step SP102, after confirming with which request the request data starts, among the HTTP GET request, HTTP POST request, HTTP HEAD request . . . HTTP CONNECT request, it separates the request data at step SP103.

Then, at step SP104, in the case of an HTTP POST request the CPU 9 reads the header unit S31 of the HTTP POST request DATA31, while in the case of an HTTP GET request it reads the header unit S41 of the HTTP GET request DATA41 (FIG. 20(A)). In both cases the request data and response data are transferred by HTTP (HyperText Transfer Protocol).

Then, at step SP105, the CPU 9 converts the HTTP header into an associative array so that each item can be read, and at step SP106 it judges whether the HTTP header Host is NULL (i.e., whether a Host header exists or not).

At this point, if an affirmative result is obtained, this means that theterminal devices 3A, 3B . . . sent the request to the HTTP servers 14A,14B . . . without attaching the HTTP header Host. And at this moment, atthe step SP107, by adding “http://addressee IP (Internet Protocol)address/request text”, the CPU 9 determines the URL (Uniform ResourceLocator), i.e., the resource name to determine the file uniquely, andproceeds to the following step SP108.

On the other hand, if a negative result is obtained at the step SP106,this means that HTTP header Host was attached when the terminal devices3A, 3B . . . sent the request to the HTTP servers 14A, 14B . . . . Andat this moment, at the step SP109, CPU 9 determines “http://HTTPheaderHost/Request text” as the URL and moves to the step SP108.

At the step SP108, the CPU 9 reads the response header of the responsedata. And at the step SP110, it judges whether Content-Length itemexists or not in the response header.

At this point, if a negative result is obtained, this means that there is a possibility that only single Web page information is included in the response data. In this case, at the step SP111, the CPU 9 reads the response data until the next response header of the file information appears, and at the step SP112 it determines the main text from the response header to the next response header as one file and stores this in the analysis result database 11.

On the other hand, if an affirmative result is obtained at the step SP110, this means that there is a possibility that multiple Web page information are included in the response data. In this case, the CPU 9 moves to the step SP113 and judges whether the Content-Length item is Content-Length=0 or not.

At this point, if a negative result is obtained, this means that multiple Web pages are included. At the step SP114, the CPU 9 reads in the data of Content-Length after the response header and, moving to the step SP112, stores the data as one file in the analysis result database 11.

Then, at the following step SP115, the CPU 9 judges whether the processing presently being conducted is the case of an HTTP POST request or the case where “?” is included in the URL.

Here, if an affirmative result is obtained, this shows that the contents of the Web page information presently being processed are dynamic contents.

More specifically, in the case of a POST request, as described above in FIGS. 18 and 19, the POST response data DATA32 (FIG. 19) is the data transferred to the HTTP servers 14A, 14B . . . and processed according to the contents of the write-in unit S32 of the HTTP POST request DATA31 (FIG. 18), and accordingly it has dynamic contents.

Furthermore, the fact that “?” is included in the URL attached at the step SP107 or SP109 means that the Web page information transmitted to the HTTP servers 14A, 14B . . . has dynamic contents to be changed afterwards.

Accordingly, if a negative result is obtained at the step SP115, this means that the response data is fixed-type Web page information not having dynamic contents. In this case, the CPU 9, moving to the step SP116, forms a directory in the analysis result database 11, taking the data of the URL item “from its start to the last /” as its name. At the following step SP117, the CPU 9 moves the main text data presently being processed to the location of the directory formed from the URL item in the analysis result database 11, stores this in the analysis result database 11 at the following step SP118, and records the Request, Response, URL and the storage location of the main text file in the web*database 11A provided in the analysis result database 11.

Thus, in the case where Content-Length does not exist in the response header (SP110) and in the case where Content-Length exists but is not 0, the analysis result on a Web page not having dynamic contents (step SP115) can be stored in the analysis result database 11.

On the other hand, if an affirmative result is obtained at the step SP113, this means that this is a special case, in which the length of the content is actually 0 even though the response header indicates multiple Web pages. In this case, the CPU 9 moves to the step SP119 and records the Request, Response, URL and main text file in the auxiliary database of the analysis result database 11 (i.e., the Web*database 11A) (FIG. 17).

Furthermore, if an affirmative result is obtained at the step SP115, this means that the data presently being processed uses dynamic contents and not static contents. The CPU 9, moving to the step SP119, records the Request, Response, URL and main text file in the Web*database 11A.

Thus, at the step SP118 or SP119, since the CPU 9 has completed storing the analysis result on the HTTP request header read in at the step SP104 into the analysis result database 11, it moves to the following step SP120 and judges whether any requests still remain or not. If an affirmative result is obtained, the CPU 9 returns to the step SP103 and repeats the processing on the remaining requests.

On the other hand, if a negative result is obtained at the step SP120, this means that the processing on all requests contained in one session has been completed. In this case, the CPU 9, moving to the step SP121, judges whether another session still exists in the work memory 10 or not. When an affirmative result is obtained, the CPU 9 returns to the step SP101 and repeats the analysis operation on the remaining session.

If a negative result is obtained at the step SP121, this means that the processing of all HTTP data put in the work memory 10 has been completed. In this case, the CPU 9 returns to the communication information recording processing procedure RT0 (FIG. 2) from the step SP122.

Furthermore, if a negative result is obtained at the step SP102, this means that the data is not Web page information to be processed by the “HTTP data analysis” at the step SP8 of the communication information recording processing procedure RT0 (FIG. 2). In this case, the CPU 9 immediately returns to the communication information recording processing procedure RT0 (FIG. 2) from the step SP122.
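The decision procedure of steps SP105 to SP119 above, as an added example in Python that is not part of the patent's own disclosure: the HttpExchange fields and the function names determine_url, is_dynamic, directory_name and analyze are assumptions, and the request/response pairs fed to it are constructed.

```python
from dataclasses import dataclass


@dataclass
class HttpExchange:
    """One captured request/response pair; field names are hypothetical."""
    method: str              # HTTP GET, POST, HEAD . . . (step SP102)
    request_target: str      # the "request text" of the patent
    request_headers: dict    # HTTP header as an associative array (SP105)
    dest_ip: str             # addressee IP address, used when Host is absent
    response_headers: dict
    response_body: bytes


def determine_url(x: HttpExchange) -> str:
    """SP106-SP109: URL from the Host header, else from the addressee IP."""
    host = x.request_headers.get("Host")
    if host is None:
        return f"http://{x.dest_ip}{x.request_target}"
    return f"http://{host}{x.request_target}"


def is_dynamic(x: HttpExchange, url: str) -> bool:
    """SP115: a POST request or a '?' in the URL means dynamic contents."""
    return x.method == "POST" or "?" in url


def directory_name(url: str) -> str:
    """SP116: the directory name is the URL from its start to the last '/'."""
    return url[: url.rfind("/") + 1]


def analyze(x: HttpExchange) -> dict:
    """SP110-SP119: decide how the main text is read and where it is recorded."""
    url = determine_url(x)
    record = {"Request": f"{x.method} {x.request_target}", "URL": url}
    length = x.response_headers.get("Content-Length")
    if length is None:
        # SP111/SP112: no Content-Length, read up to the next response header
        # (the constructed body holds a single page, so it is taken whole)
        body = x.response_body
    elif int(length) == 0:
        # SP113 affirmative: special case, recorded only in the Web*database 11A
        record.update(store="Web*database 11A", reason="Content-Length=0")
        return record
    else:
        # SP114: read exactly Content-Length bytes after the response header
        body = x.response_body[: int(length)]
    if is_dynamic(x, url):
        # SP119: dynamic contents are recorded in the Web*database 11A
        record.update(store="Web*database 11A", reason="dynamic")
    else:
        # SP116-SP118: static page stored as a file under a directory named
        # from the URL; its storage location is recorded in the web*database 11A
        record.update(store="analysis result database 11",
                      directory=directory_name(url), reason="static")
    record["body_length"] = len(body)
    return record
```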

(6) Intrusion Detection Analysis Processing Procedure

When the CPU 9 of the communication information recording device 6 enters the intrusion detection analysis step SP9 (FIG. 2), it stores the analysis result on the communications that passed through the objective network 2 in the analysis result database 11 according to the intrusion detection analysis processing procedure SP9 shown in FIG. 22.

When the CPU 9 enters the intrusion detection analysis step SP9, it delivers the data stream D0 received in the work memory 10 to the intrusion detection program.

Then, at the step SP142, the CPU 9 compares the data stream D0 with the intrusion patterns held by the intrusion detection program, according to the intrusion detection program, and records the matching data stream D0 in the work memory 11 as a file.

Then, at the step SP143, the CPU 9 extracts the header part and the main text part of the file based on the file recorded in the work memory 11 and forms a result file. Then, at the following step SP144, reading the intrusion pattern, the address of the transmitting end, the address of the receiving end, the sender port, the recipient port and the time of occurrence from the result file, the CPU 9 enters these in the analysis result database 11.

With this arrangement, since the communication record of the communication information that passed through the objective network 2 can be stored in the analysis result database 11, the CPU 9 returns to the main routine, the communication information recording processing procedure RT0, from the step SP145.

Thus, according to the intrusion detection analysis processing procedure of FIG. 22, the communication record of communication information that broke into the objective network 2 without an ID can be stored in the analysis result database 11. The analysis result database 11 of the communication information recording device 6 can therefore be read out by using the Web browser 4B of the management headquarter 4 as occasion demands, and thereby the manager of the management headquarter 4 can reliably grasp the communication record of intruders.

(7) Operation of Communication Information Recording Device

According to the foregoing construction, when packet data of the mail server 4A flows in the objective network 2, the communication information recording device 6 (FIG. 1) attaches the monitor file name each time it receives the data and puts it in the work memory 10. At each analysis time (SP2, SP3), at the step SP4, attaching the analysis file name per session, the communication information recording device 6 executes the processing of the mail data analysis step SP5, the POP3 server analysis step SP7 or the HTTP data analysis step SP8, and stores the analysis results in the analysis result database 11.

Thus, the manager of the management headquarter 4 can read out the analysis result data stored in the analysis result database 11 of the communication information recording device 6 from the Web browser 4B via the objective network 2 as occasion demands. Thereby the confirmation of the mail information flowing in the objective network 2 can be conducted reliably after the communication stops.

In the case of conducting such confirmation, when mail information is exchanged between the terminal devices 3A, 3B . . . and the mail server 4A and the mail servers 15A, 15B . . ., the mail data received will be categorized and stored in the analysis result database 11 by the mail server analysis step SP5 and the POP3 server data analysis step SP7 of FIG. 2.

In the case of Web page information, such as when the terminal devices 3A, 3B . . . send out requests to the HTTP servers 14A, 14B . . . and receive the responses, the Web page information is classified at the HTTP data analysis step SP8 into static Web page information and dynamic Web page information. As to the static Web page information, its storage location in the analysis result database 11 is reassembled into the auxiliary database 11A and stored. Accordingly, when a detection request is sent out to the communication information recording device 6 from the Web browser 4B, the detection information required by the manager of the management headquarter 4 can be properly and easily read out with a simple procedure, enhancing the reproducibility of pages including images.

(8) Readout of Analysis Result Data

The analysis result data registered in the analysis result database 11 of the communication information recording device 6 will be read out to the Web browser 4B of the management headquarter 4 according to the analysis result data readout processing procedure RT1.

In the analysis result data read-out processing procedure RT1, the CPU 9 receives a detection request from the Web browser 4B at the step SP131. Referring to the analysis result data of the analysis result database 11 at the step SP132, the CPU 9 extracts the analysis result data pertinent to the detection request from the referred data at the step SP133.

Then, the CPU 9 sends the extracted analysis data to the Web browser 4B via the objective network 2 by using HTTP (HyperText Transfer Protocol) at the step SP134 and executes the processing to display this on the display of the Web browser 4B. Then, at the step SP135, the CPU 9 terminates the analysis result data read-out processing procedure RT1.

Thus, according to the analysis result data read-out processing procedure RT1 of FIG. 13, the manager of the management headquarter 4 can always confirm the mail information and the HTTP communication record that passed through the objective network 2 as occasion demands.

(9) Other Embodiment

The embodiment described above has dealt with the case of forming the directory in the analysis result database 11 when “forming the directory using names from the URL to the last ‘/’” at the step SP116 of the “HTTP data analysis” processing procedure SP8 (FIGS. 15 and 16). However, instead of this, an external memory device formed of a disc recording device and provided separately from the analysis result database 11 may be used.

INDUSTRIAL UTILIZATION

The present invention can be utilized in a communication system to receive the communication data flowing into the objective network formed by a LAN and to confirm the contents of communications after the communication has been conducted.

1. A communication information recording device, comprising: means for sequentially capturing packet data of a data stream traveling on an objective network, at prescribed monitoring time intervals, said packet data transmitted and received by a plurality of terminal devices connected to said objective network, and storing said captured packet data in first memory means with a monitor file name, said captured packet data each being in one of a plurality of application protocols; means for reading the packet data stored in the first memory means, based on the monitor file name; means for analyzing the packet data read, in order to find communication item data at least including a sender name, a receiver name and a main body of text, in accordance with said one of a plurality of application protocols, and storing analysis result data including the communication item data found in an analysis result database serving as second memory means; and means for extracting the analysis result data corresponding to a search request, from the analysis result database, in response to the search request given from the outside, and transmitting the analysis result data extracted to the outside for confirmation of contents of said data packets transmitted to the objective network in the past.

2. The communication information recording device according to claim 1, wherein the means for storing stores request data and response data in the analysis result database, and wherein the request data is from another communication device to a mail server being connected to the objective network, and the response data is from the mail server to the another communication device.

3. The communication information recording device according to claim 2, wherein the means for storing further stores attachment file item data in the analysis result database as the communication item data.

4. The communication information recording device according to claim 2, wherein the means for storing further stores a detection result of a computer virus in an attachment file, in the analysis result database as the communication item data.

5. The communication information recording device according to claim 1, wherein the means for storing stores header fields data and email message body data in the analysis result database as the communication data.

6. The communication information recording device according to claim 1, wherein the means for storing comprises a private database configured to store the communication items of mail information restricted from being read by readers other than specifically identified readers, as private items, and stores the analysis result data while changing to privatize the communication items of the analysis result data that agree with the private items of the private database, so as not to read the communication items changed to private, from the analysis result database.

7. The communication information recording device according to claim 1, wherein the means for storing comprises a category database configured to store category items to categorize communication items, in correspondence with the communication items, and to store the communication items that agree with the communication items of the category database, in the analysis result database with the corresponding category items so as to read the analysis result data for each category item.

8. The communication information recording device according to claim 1, wherein the means for storing stores request data and response data in the analysis result database as the communication item data, and wherein the request data is from a terminal device being connected to the objective network, and the response data is from an HTTP server to the terminal device.

9. The communication information recording device according to claim 8, wherein when there exists a Content-Length item indicating the length of content in the response data from the HTTP server, the means for storing stores the content as a file, stores storage location data indicating a storage location of corresponding communication data in the analysis result database, in a storage location database, and reads the storage location data being stored in the storage location database to outside, so as to reproduce the communication data.